CVE-2025-56399
Published: 28 October 2025
Summary
CVE-2025-56399 is a high-severity Code Injection (CWE-94) vulnerability in Laravel File Manager (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates comprehensive server-side validation of uploaded file contents to reject PHP code disguised as .png images, directly addressing the inadequate validation flaw.
Restricts file uploads to only authorized types and extensions, preventing acceptance of files that could be renamed to executable .php.
Deploys malicious code scanning at upload entry points to detect and block or quarantine PHP code in disguised files before storage or execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows authenticated attackers to exploit a public-facing web file manager (T1190) by uploading a malicious file with embedded PHP code disguised as .png, renaming it to .php, and executing it as a web shell (T1505.003), enabling remote code execution.
NVD Description
alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload…
more
appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code.
Deeper analysisAI
CVE-2025-56399, published on 2025-10-28, is a code injection vulnerability (CWE-94) in the alexusmai/laravel-file-manager package, affecting version 3.3.1 and prior releases. It enables remote code execution (RCE) through a crafted file upload in the file manager interface. The issue stems from inadequate server-side validation, where files disguised with a .png extension but containing PHP code can bypass client-side checks and be stored on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
An authenticated attacker with low privileges can exploit this by uploading the malicious .png file via the file manager. After the file is saved despite apparent client-side failure, the attacker leverages the rename API endpoint to modify the extension to .php. Accessing the renamed file through its public URL then causes the server to execute the embedded PHP code, potentially granting full control over the application server, including data exfiltration, persistence, or further lateral movement.
Mitigation details and advisories are available from the vendor at http://laravel-file-manager.com and the GitHub proof-of-concept repository at https://github.com/Theethat-Thamwasin/CVE-2025-56399. Security practitioners should review these sources for patches, upgrades, or workarounds specific to the affected Laravel file manager installations.
Details
- CWE(s)